I would like Endpoint Protection to do one of the following things:
a. Log to file/winevent when infected - on the actual client
b. Log to file/winevent when infected - on server

For all the Companies using log analytics tools there are no good way to get the information. We use a custom sql-trigger to kick off a PowerShell script which writes an logentry to EventLog on the server. That is suboptimal to say at least.

The dashboards for EP in ConfigMgr is not good enough and really ineffective when you have a lot of detections.

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection

The ConfigMgr client should collect event log troubleshooting data for Win Defender ATP. The data should be surfaced in the dashboard and be available for creating dynamic collections queries (so you can act on it). A security tool that doesn't clearly show you where it is/isn't working is very problematic.

Minor thing, but in Defender under Win10, excluded Files and Folders are separate, and Items in Antimalware policies, regardless weather File or Folder are shown in Defender/Win10 settings under Excluded Files. (the exclusion however still works so that is why it's a minor thing)

We need to be able to prevent admin users from disabling or uninstalling SCEP without a secondary form of authentication/protection.

Wildcards can not be used when configuring Excluded Processes in Exclusion Settings in the anti-malware policy.
Since it is judged as an invalid character string, please add a function so that it can be used.

With Windows Defender alone, you can use wildcards for process exclusion.

Use wildcards in the process exclusion list
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-process-exclusion-list

Integrate some management of Windows Defender Offline Scan. For a first iteration, add the ability to schedule an offline scan during next reboot to Fast Channel Notifications.

On a future iteration, allow anti-malware policy to schedule an offline scan every X days on reboot.

Allow for the provisioning, management and recovery of bitlocker protected volumes using sccm.

Currentlly, if this option is set, the users have the option to change the time (it is not greyed out like all the other settings which users are not allowed to change), but cannot save changes (UAC admin "save changes" button). Only users with local admin rights are allowed to apply the changes.

for refresh/reinstall scenarios in WinPE where you have an already MBAM managed/Bitlockered client, and you want to reinstall it or refresh to a new os, the OS drive is bitlockered and therefore you cannot read it or pull data from it (USMT), we've used various versions of this for MBAM https://www.windows-noob.com/forums/topic/4173-how-can-i-retrieve-my-bitlocker-recovery-key-from-mbam-in-windows-pe/ but it would be nice if this ability was integrated within ConfigMgr now that MBAM is integrated too and to do it securely via https

New anti-malware platform updates are released periodically. It would be good to have the latest version included as part of the ConfigMgr client installation so that clients can take advantage of the latest features in Endpoint Protection.

We manage desktops and servers in the same SCCM infrastructure but by different teams. When we create antimalware policies, we have resorted to prefixing every entry with either desktop - ... or server - ... This would be great to support a folder structure to keep this clean. We have 45 policies so far and that list will probably swell to 75 or 100. RBA per folder would be a bonus.

The current SCEP import only handles XML feeds for import through the SCCM console. XML is no longer supported and is replaced by JSON, can we please have the import updated to handle JSON instead?

I wrote a PowerShell custom detection method that reads the event viewer logs and thereby returns a failed installation if an infection is logged in the event viewer. The application installation is therefore a powershell script that initiates a full system scan. For the custom detection to be successful, there must be an event viewer entry of the full system scan after the infection entry. I have written up the process in my blog posting here: http://mickitblog.blogspot.com/2015/12/automating-microsoft-endpoint-full.html

Hi Team,

We currently do not have ability to put exclusions specific to individual machines. This can oly be done through collections and policies. Why dont we give the ability to end point amdinistrator group to add exclusiosns to individual machines based on requests which is possible through McAfee.

Thanks,
Vinayak

I would like to see configuration managers end point agent be able to detect and block thumb drives and do web content filtering via the agent.

In the Devices view, ATP onboarding state is only reported for Windows 10 devices. Other OS have a blank state.

Currently (Oct-Nov 2018) working on an ATP trial with a customer who has +90% Windows 7 workstations. Support for Windows versions previous to Windows 10 is currently a preview feature for ATP. Still, having the ATP onboarding state and related info for Windows pre-10, would provide for a much nicer overview. The customer doesn't want to hear to upgrade to Windows 10 all the time.